GENERATING USER-DEPENDENT KEYS
AND RANDOM NUMBERS 

RELATED APPLICATIONS 

The present application is related to commonly assigned 
and concurrently filed U.S. patent application Ser. No. 
09/324,308, entitled "GENERATING USER-DEPENDENT 
RSA KEYS," the disclosure of which is incorporated herein 
by reference as if set forth fully. 

FIELD OF THE INVENTION 

The present invention relates to cryptography and more 
particularly to the generation of cryptographic key values 
and/or pseudo random numbers.

BACKGROUND OF THE INVENTION 

In cryptography it is often useful to generate a key value 
for use in the cryptographic process. Such key values are 
typically generated by a pseudo random number generator 
utilizing a secret seed value. Problems may arise, however, 
if the cryptographic code is broken by an unauthorized party. 
For example, if the unauthorized party learned the secret 
seed value, the unauthorized party could then duplicate the 
cryptographic key value utilizing the secret seed value. In 
such a case, there may be no way to audit the source of the 
encrypted information to determine whether the information 
was generated by an authorized party or an unauthorized 
party. Furthermore, there may be no mechanism for authen- 
ticating the cryptographic key based on an individual user. 
Also, when the encryption key of a single user of a group of 
users which share encryption methodologies is 
compromised, the entire group may be compromised as the 
encryption is not dependent on the identity of the user within 
the group. 

In general, mechanisms for differentiating between users 
are known. For example, a particular individual can be 
identified or verified through a user identifier (such as a 
globally unique name) or biometric data (such as fingerprint, 
hand geometry, iris pattern, facial features, voice 
characteristics, handwriting dynamics, earlobe 
characteristics, etc.). 

As is well known to those having skill in the art, biometric 
information is one or more behavioral and/or physiological 
characteristics of an individual. Biometric identification 
and/or verification uses a data processing system to enable 
automatic identification and/or verification of identity by 
computer assessment of a biometric characteristic. In bio- 
metric verification, biometric information is verified for a 
known individual. In biometric identification, biometric 
information for an individual is compared to known bio- 
metric information for many individuals in order to identify 
the individual. 

Biometric identification/verification systems, methods
and computer program products can measure one or more of
the following behavioral and/or physiological characteristics
of an individual: fingerprint, hand geometry, iris pattern,
facial features, voice characteristics, handwriting dynamics,
earlobe characteristics and keystroke dynamics. Other
biometric characteristics may be used. Applications using
biometric technologies include biometric check cashing
machines, payment systems that substitute biometric data
for personal identification numbers, access control systems
that use biometric data, biometric employee time and
attendance recording and biometric passenger control for
transportation. Many other applications may utilize biometric
information for identification and/or verification. See the
publications entitled "Biometrics, Is it a Viable Proposition
for Identity Authentication and Access Control", to Kim,
Computers & Security, Vol. 14, 1995, pp. 205-214; "A
Robust Speaker Verification Biometric", to George et al.,
Proceedings, the IEEE 29th International Carnahan
Conference on Security Technology, October 1995, pp. 41-46; "On
Enabling Secure Applications Through Off-line Biometric
Identification", to Davida et al., Proceedings of the IEEE
Computer Society Symposium on Research in Security and
Privacy, 1998, pp. 148-157; and "Biometric Encryption:
Information Privacy in a Networked World", to Brown et al.,
EDI Forum: The Journal of Electronic Commerce, v. 10, No.
3, 1997, pp. 37-43. However, while biometric identification
and user identification may allow for identification of users,
these existing uses may not allow for authentication of the
source of encryption keys.

In the above cited Davida et al. publication, in Section 5.2
it was proposed that biometrics could be used with or as
keys. However, Davida et al. assumes that the biometric
information is secret information. Furthermore, Davida et al.
may not work for any size key and describes a procedure
which may not allow for precomputing information for
generation of a key value. Furthermore, the proposal of
Davida et al. may allow two users to generate the same key
values and, thus, does not assure that the generated keys are
disjoint.

In light of the above discussion, a need exists for improve- 
ments in the generation of encryption keys. 

SUMMARY OF THE INVENTION 

In view of the above discussion, it is an object of the 
present invention to provide cryptographic values which 
may be authenticated. 

A further object of the present invention is to provide for 
the generation of cryptographic values which may be 
audited to determine the user which generated the crypto- 
graphic values. 

These and other objects of the present invention may be 
provided by methods, systems and computer program prod- 
ucts which generate a cryptographic value utilizing user 
specific information to generate a user dependent value. The 
user specific information may be a globally unique user 
identification or biometric information associated with a 
user. In particular embodiments of the present invention a 
seed value is modified with biometric information to gen- 
erate a user dependent key value. In alternative embodi- 
ments a cryptographic value is hashed or otherwise modified 
with user specific information or user specific information is
hashed and then combined with the cryptographic value to 
generate the user dependent cryptographic value. In still 
another embodiment of the present invention cryptographic 
values are generated in a user specific subspace of the space 
of potential cryptographic values. Thus, the generated
cryptographic values for different users may be guaranteed to be
disjoint. 

In specific embodiments of the present invention, user
specific information about a user is obtained and a seed
value of a key generation procedure is modified with the user
specific information so that the key generation procedure
generates a user dependent cryptographic key. The key
generation procedure may be a pseudo random number
generator (PRNG) in which case the seed value for the
PRNG is modified with the user specific information.
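
Added example (not code from the patent): a PRNG whose seed is modified with user specific information, sketched in Python. The HMAC-SHA-256 counter generator, the length-prefixed concatenation, and all names and sample values are assumptions of this example; it shows one shared secret seed yielding different sequences per user, and a value being attributed later by regenerating the sequence from the saved seed and user information.

```python
import hashlib
import hmac


def user_seed(secret_seed: bytes, user_info: bytes) -> bytes:
    """Concatenate user_info with secret_seed, then mix the bits with a hash.

    The 4-byte length prefix keeps the concatenation unambiguous: without it,
    (info=b"c", seed=b"ab") and (info=b"ca", seed=b"b") would both be b"cab".
    SHA-256 as the bit-mixing step is this example's choice.
    """
    framed = len(user_info).to_bytes(4, "big") + user_info + secret_seed
    return hashlib.sha256(framed).digest()


class UserPRNG:
    """HMAC-SHA-256 in counter mode, keyed by the user specific seed."""

    def __init__(self, secret_seed: bytes, user_info: bytes):
        self._key = user_seed(secret_seed, user_info)
        self._counter = 0

    def next_value(self, n_bytes: int = 20) -> bytes:
        """Return the next pseudo random number (20 bytes = 160 bits by default)."""
        out = b""
        while len(out) < n_bytes:
            msg = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            self._counter += 1
        return out[:n_bytes]


def sequence(secret_seed: bytes, user_info: bytes, count: int, n_bytes: int = 20):
    """First `count` outputs of the user's generator."""
    gen = UserPRNG(secret_seed, user_info)
    return [gen.next_value(n_bytes) for _ in range(count)]


def belongs_to(value: bytes, secret_seed: bytes, user_info: bytes, max_outputs: int) -> int:
    """Audit: regenerate the user's sequence from the saved seed and user
    information; return the position of `value` in it, or -1 if absent."""
    regenerated = sequence(secret_seed, user_info, max_outputs, len(value))
    for index, candidate in enumerate(regenerated):
        if hmac.compare_digest(candidate, value):
            return index
    return -1


# Constructed sample inputs (not from the page): two users who were
# accidentally initialized with the same secret seed.
SHARED_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
ALICE = b"uid:alice@example.test"
BOB = b"uid:bob@example.test"

if __name__ == "__main__":
    alice_values = sequence(SHARED_SEED, ALICE, 8)
    print("alice[5] found at", belongs_to(alice_values[5], SHARED_SEED, ALICE, 16))
    print("same value under bob:", belongs_to(alice_values[5], SHARED_SEED, BOB, 16))
```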

In a particular embodiment of the present invention, the 
seed value is modified by concatenating the user specific 
information with the seed value so as to provide a user
specific seed value. Furthermore, the seed value may be
further modified by mixing bits of the user specified seed
value so as to increase the uniformity of a distribution of
entropy in the user specified seed value.

In an alternative embodiment of the present invention, a
cryptographic value is generated by obtaining non-secret
user specific information about a user and obtaining an
initial cryptographic value by, for example, obtaining a
pseudo random number from a pseudo random number
generator. The initial cryptographic value is then modified
with the non-secret user specific information so as to provide
a user dependent cryptographic value. In particular, the
initial cryptographic value may be modified by hashing the
initial cryptographic value and the non-secret user specific
information utilizing a one-way hash operation so as to
generate the user dependent cryptographic value.

In a still further embodiment of the present invention, the
user dependent cryptographic value (S) comprises n bits, the
results of the hash operation provides h bits and the step of
hashing involves determining an intermediate hash value (Z)
utilizing the concatenation of hash values defined by,

Z = H(R,B) || H(R+1,B) || H(R+2,B) || . . . || H(R+a,B)

where H is the one way hash operation, B is the non-secret
user specific information and a is the largest integer smaller
than n/h. The user dependent cryptographic value is then
generated by selecting n bits from Z to provide the user
dependent cryptographic value.

In one embodiment the selected n bits are the n most
significant bits of Z.

In another alternative embodiment for generating a
cryptographic value an initial cryptographic value is obtained. A
final intermediate hash value resulting from hashing user
specific information about a user utilizing a one-way hash
operation is also obtained. The final intermediate hash value
is combined with the initial cryptographic value so as to
provide the user dependent cryptographic value.

In a particular embodiment of such an alternative
embodiment, the user dependent key value (S) comprises n
bits and the results of the hash operation provides h bits. The
hashing then involves determining a first intermediate hash
value (Z) utilizing the concatenation of hash values defined
by,

Z = H(B) || H(B+1) || H(B+2) || . . . || H(B+a)

where H is the one way hash operation, B is the user specific
information and a is the largest integer smaller than n/h. The
final intermediate hash value is then provided by selecting n
bits from Z. The selected n bits may be the n most significant
bits of Z.

In a further aspect of the alternative embodiment, the final
intermediate hash value and the initial cryptographic value
are combined by EXCLUSIVE ORing the initial
cryptographic value and the final intermediate hash value.
Preferably, the final intermediate hash value is stored so as
to provide a pre-computed intermediate hash value. In such
a case, the final intermediate hash value may be obtained by
accessing the stored pre-computed intermediate hash value.

In yet another alternative embodiment of the present
invention, user specific information about a user is obtained
and a user dependent cryptographic value selected from a
user specific range of cryptographic values determined
based on the user specific information. The user specific
range of cryptographic values comprises a subspace of a
range of potential cryptographic values from which a value
generation procedure selects a cryptographic value. In a
particular embodiment, the user specific information
comprises b bits, the cryptographic values comprise n bits and
the user specific range is determined by dividing the range
of potential cryptographic values into 2^b subspaces. One of
the subspaces is then selected as the user specific range of
cryptographic values based on the user specific information.
In a further embodiment, bits of the selected user dependent
cryptographic value are mixed so as to increase the
uniformity of a distribution of entropy in the user dependent
cryptographic value.

In a still further embodiment of the present invention, the
source of a cryptographic value is authenticated by obtaining
entity specific information associated with a source entity
and modifying a specified cryptographic value with the
entity specific information to produce a branded value.
When the branded value is received, the entity specific
information is recovered from the received branded value.
The source entity of the received branded value is then
determined based on the recovered entity specific
information.

In particular embodiments of the present invention, the
entity specific information comprises biometric data from a
user. Alternatively, the entity specific information may be a
globally unique user identification associated with a user.
Furthermore, the entity specific information may be a
company identification.

In one embodiment of the present invention, the specified
cryptographic value is modified by modifying a seed value
of a key generation procedure with the entity specific
information so that the key generation procedure generates
a user dependent cryptographic key as the branded value. In
such a case, the recovery of the entity specific information
and the determination of the source entity may be made by
generating a second branded value utilizing an expected
seed value and the entity specific information and the key
generation procedure and then comparing the generated
second branded value with the received branded value.

In another embodiment of the present invention, the
specified cryptographic value is modified by hashing the
specified cryptographic value and the entity specific
information utilizing a one-way hash operation so as to generate
the branded value. In such a case, the recovery of the entity
specific information from the received branded value and the
determination of the source entity of the received branded
value may be accomplished by generating a second branded
value by hashing an expected specified cryptographic value
and the entity specific information utilizing the one-way
hash function. The generated second branded value is then
compared with the received branded value to determine the
source entity of the branded value.

In yet another embodiment of the present invention, the
specified cryptographic value is modified by obtaining a
final intermediate value as a function of the entity specific
information and then combining the final intermediate value
with the specified cryptographic value so as to provide the
branded value. In such a case, the recovery of the entity
specific information from the received branded value and the
determination of the source entity of the received branded
value may be accomplished by generating a second branded
value by combining an expected specified cryptographic
value and the final intermediate value. The generated second
branded value is then compared with the received branded
value to determine the source entity of the branded value.

In a still further embodiment of the present invention, the
specified cryptographic value is modified by selecting a
value from an entity specific range of cryptographic values
based on the user specific information. The entity specific
range of cryptographic values comprises a subspace of a
range of potential cryptographic values from which a value
generation procedure selects a cryptographic value. In such
a case, the recovery of the entity specific information from
the received branded value and the determination of the
source entity of the received branded value may be
accomplished by determining if the received branded value is
within the entity specific range of cryptographic values
associated with the source entity of the received branded
value.

As will further be appreciated by those of skill in the art, 
the present invention may be embodied as methods, 
apparatus/systems and/or computer program products. 
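
Added example (not code from the patent) of the branding embodiments summarized above and of the audit that recomputes a second branded value: the hash expansion Z truncated to its n most significant bits, the precomputable XOR mask, and the 2^b subspace split. SHA-256 as H, the integer encodings, selecting the subspace by the top b bits, and all names and sample values are assumptions of this example; the optional bit-mixing step is not included.

```python
import hashlib
import hmac
import secrets

H_BITS = 256  # h: bits produced by the one-way hash H (SHA-256 in this example)


def enc(x: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def hash_parts(*parts: bytes) -> bytes:
    """H over length-prefixed parts, so H(R, B) is unambiguous in its two inputs."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def n_msb(n_bits: int, block) -> int:
    """Build Z = block(0) || ... || block(a), a = largest integer < n/h; keep n MSBs."""
    a = (n_bits - 1) // H_BITS
    z = b"".join(block(i) for i in range(a + 1))
    return int.from_bytes(z, "big") >> (len(z) * 8 - n_bits)


def brand_hash(r: int, b: bytes, n_bits: int) -> int:
    """S = n MSBs of H(R,B) || H(R+1,B) || ... || H(R+a,B)."""
    return n_msb(n_bits, lambda i: hash_parts(enc(r + i), b))


def user_mask(b: bytes, n_bits: int) -> int:
    """n MSBs of H(B) || H(B+1) || ... || H(B+a). Depends only on B, so it can
    be precomputed and stored. The 0x01 prefix keeps leading zero bytes of B
    significant when B is read as an integer (an encoding choice made here)."""
    b_int = int.from_bytes(b"\x01" + b, "big")
    return n_msb(n_bits, lambda i: hash_parts(enc(b_int + i)))


def brand_xor(r: int, mask: int) -> int:
    """S = R XOR mask. B is non-secret, so all secrecy of S comes from R."""
    return r ^ mask


def brand_subspace(user_index: int, b_bits: int, n_bits: int, rand=secrets.randbits) -> int:
    """Pick S inside the user's own subspace: the top b bits name one of 2^b
    disjoint ranges, the low n-b bits are random."""
    if not 0 <= user_index < (1 << b_bits):
        raise ValueError("user_index does not fit in b bits")
    return (user_index << (n_bits - b_bits)) | rand(n_bits - b_bits)


def subspace_owner(s: int, b_bits: int, n_bits: int) -> int:
    """Audit for the subspace scheme: read back which range S falls in."""
    return s >> (n_bits - b_bits)


def audit(received: int, expected_r: int, candidates: dict, n_bits: int, scheme: str):
    """Recompute a second branded value for each candidate and compare it with
    the received one. Returns the matching candidate name, or None."""
    for name, b in candidates.items():
        if scheme == "hash":
            again = brand_hash(expected_r, b, n_bits)
        elif scheme == "xor":
            again = brand_xor(expected_r, user_mask(b, n_bits))
        else:
            raise ValueError("unknown scheme")
        if hmac.compare_digest(enc(again), enc(received)):
            return name
    return None


# Constructed sample data (not from the page).
USERS = {"alice": b"uid:alice@example.test", "bob": b"uid:bob@example.test"}
R = int.from_bytes(hashlib.sha256(b"constructed initial value").digest(), "big")

if __name__ == "__main__":
    s = brand_hash(R, USERS["alice"], 512)
    print("hash-branded value attributed to:", audit(s, R, USERS, 512, "hash"))
    x = brand_xor(R, user_mask(USERS["bob"], 256))
    print("xor-branded value attributed to:", audit(x, R, USERS, 256, "xor"))
    print("subspace owner:", subspace_owner(brand_subspace(3, 8, 160), 8, 160))
```

The audit only succeeds when the auditor holds the expected initial value R; a wrong R matches no candidate, which is why the page has the seed and user information archived.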

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a diagram of a data processing system suitable for
use with the present invention;

FIG. 2 is a detailed view of a data processing system
suitable for use with the present invention;

FIG. 3 is a flowchart illustrating operations according to
one embodiment of the present invention;

FIG. 4 is a flowchart illustrating operations according to
a first alternative embodiment of the present invention;

FIG. 5 is a flowchart illustrating operations according to
a second alternative embodiment of the present invention;

FIG. 6A is a flowchart illustrating operations according to
a third alternative embodiment of the present invention;

FIG. 6B is a flowchart illustrating operations of a
preferred embodiment of the third alternative embodiment
illustrated in FIG. 6A;

FIG. 7 is a flowchart illustrating operations according to
a fourth alternative embodiment of the present invention;
and

FIG. 8 is a flowchart illustrating authentication/auditing
of a branded value according to one embodiment of the
present invention.

DETAILED DESCRIPTION OF THE 
INVENTION 

The present invention now will be described more fully
hereinafter with reference to the accompanying drawings, in
which preferred embodiments of the invention are shown.
This invention may, however, be embodied in many different
forms and should not be construed as limited to the
embodiments set forth herein; rather, these embodiments are
provided so that this disclosure will be thorough and complete,
and will fully convey the scope of the invention to those
skilled in the art. Like numbers refer to like elements
throughout.

The present invention can be embodied as systems,
methods, or computer program products for generating a
user dependent cryptographic key or any other value or
quantity used in cryptography. As will be appreciated by
those of skill in the art, a cryptographic key may be a random
number or other value generated utilizing a seed value. Thus,
while the present invention is described with reference to
generating a cryptographic key, as used herein, that term is
intended to include the generation of a pseudo-random
number as such a number may be utilized as a cryptographic
key or other value used in cryptography.

As will be further appreciated by those of skill in the art,
the present invention can take the form of an entirely
hardware embodiment, an entirely software (including
firmware, resident software, micro-code, etc.) embodiment,
or an embodiment containing both software and hardware
aspects. Furthermore, the present invention can take the
form of a computer program product on a computer-usable
or computer-readable storage medium having
computer-usable or computer-readable program code means embodied
in the medium for use by or in connection with an instruction
execution system. In the context of this document, a
computer-usable or computer-readable medium can be any
means that can contain, store, communicate, propagate, or
transport the program for use by or in connection with the
instruction execution system, apparatus, or device.

The computer-usable or computer-readable medium can 
be, for example but not limited to, an electronic, magnetic, 
optical, electromagnetic, infrared, or semiconductor system, 
apparatus, device, or propagation medium. More specific 
examples (a nonexhaustive list) of the computer-readable 
medium would include the following: an electrical connec- 
tion having one or more wires, a portable computer diskette, 
a random access memory (RAM), a read-only memory 
(ROM), an erasable programmable read-only memory 
(EPROM or Flash memory), an optical fiber, and a portable 
compact disc read-only memory (CD-ROM). Note that the 
computer-usable or computer-readable medium could even
be paper or another suitable medium upon which the pro- 
gram is printed, as the program can be electronically 
captured, via, for instance, optical scanning of the paper or 
other medium, then compiled, interpreted, or otherwise 
processed in a suitable manner if necessary, and then stored 
in a computer memory. 

Referring now to FIG. 1, an exemplary embodiment of a 
computer system 30 in accordance with the present inven- 
tion typically includes input devices 32, such as a keyboard 
or keypad 31, a microphone 42 and/or preferably, a biomet- 
ric information input device 35. The computer system 30 
also preferably includes a display 34 and a memory 36 that 
communicate with a processor 38. The computer system 30 
may further include a speaker 44 and an I/O data port(s) 46 
that also communicate with the processor 38. The I/O data 
ports 46 can be used to transfer information between the 
computer system 30 and another computer system or a 
network (e.g., the Internet). FIG. 1 also illustrates that 
computer system 30 may include a storage device 40 which 
communicates with memory 36 and processor 38. Such a 
storage device may be any type of data storage device as 
described above. These components are included in many 
conventional computer systems (e.g., desktop, laptop, or 
handheld computers) and their functionality is generally 
known to those skilled in the art. 

Furthermore, while the present invention is described 
with respect to the computer system 30, as will be appreci- 
ated by those of skill in the art, the present invention may be 
incorporated into many other devices where cryptographic 
keys are generated and, thus, may comprise an embedded 
function in many other devices. Thus, the present invention 
should not be construed as limited to use in computer 
systems such as illustrated in FIG. 1 but may be incorporated 
in any device having sufficient processing capabilities to 
carry out the operations described below. 

FIG. 2 is a more detailed block diagram of the computer 
system 30 that illustrates one application of the teachings of 
the present invention. The processor 38 communicates with 
the memory 36 via an address/data bus 48. The processor 38 
can be any commercially available or custom microproces- 
sor or other processing system capable of carrying out the 
operations of the present invention. The memory 36 is 
representative of the overall hierarchy of memory devices 
containing the software and data used to implement the
functionality of the computer system 30. The memory 36 
can include, but is not limited to, the following types of 
devices: cache, ROM, PROM, EPROM, EEPROM, flash, 
SRAM, and DRAM. 

As shown in FIG. 2, the memory 36 may hold four major
categories of software and data used in the computer system 
30: the operating system 52; the application programs 54; 
the input/output (I/O) device drivers 58; and the data 56. The 
I/O device drivers 58 typically include software routines 
accessed through the operating system 52 by the application 
programs 54 to communicate with devices such as the input 
devices 32, the display 34, the speaker 44, the microphone 
42, the I/O data port(s) 46, and certain memory 36 compo- 
nents. The application programs 54 comprise the programs 
that implement the various features of the computer system 
30 and preferably include at least one application module or 
object for key generation 60 which carries out the operations 
of the present invention as described below. Finally, the data 
56 represents the static and dynamic data used by the 
application programs 54, operating system 52, I/O device 
drivers 58, and any other software program that may reside 
in the memory 36. As illustrated in FIG. 2, the data 56 
preferably includes a secret seed value 70 and biometric or 
other user specific data 72. Additional intermediate data (not 
shown) may also be stored in memory. Furthermore, while 
the present invention is described as an application execut- 
ing on computer system 30, as will be appreciated by those 
of skill in the art, the present invention may be implemented 
in any number of manners, including incorporation in oper- 
ating system 52 or in an I/O device driver 58. 

The present invention will now be described with respect 
to FIGS. 3 through 8 which are flowchart illustrations of 
embodiments of the present invention. It will be understood 
that each block of the flowchart illustrations, and combina- 
tions of blocks in the flowchart illustrations, can be imple- 
mented by computer program instructions. These program 
instructions may be provided to a processor to produce a 
machine, such that the instructions which execute on the 
processor create means for implementing the functions 
specified in the flowchart block or blocks. The computer 
program instructions may be executed by a processor to 
cause a series of operational steps to be performed by the 
processor to produce a computer implemented process such 
that the instructions which execute on the processor provide 
steps for implementing the functions specified in the flow- 
chart block or blocks. 

Accordingly, blocks of the flowchart illustrations support 
combinations of means for performing the specified 
functions, combinations of steps for performing the speci- 
fied functions and program instruction means for performing 
the specified functions. It will also be understood that each 
block of the flowchart illustrations, and combinations of 
blocks in the flowchart illustrations, can be implemented by 
special purpose hardware-based systems which perform the
specified functions or steps, or combinations of special 
purpose hardware and computer instructions. 

The present invention provides for generating cryptographic
keys and random numbers using user specific information
such as a user's user identification (userID) data as well as
a user's biometric data. While userID data and biometric
data are fundamentally different, the two data types have
characteristics in common which may be exploited in
providing user dependent cryptographic keys. For example,
some of the differences in userID and biometric data can be
identified as follows:

1) A userID is assigned to a user, whereas biometric data
is obtained or derived from the user. Mathematically
speaking, a user's userID is an independent variable,
whereas a user's biometric data is a dependent variable.

2) A user's userID can be changed. A user's biometric data
cannot be changed. At most, a user can attempt to
switch from one biometric to another biometric (e.g.,
fingerprint to hand geometry).

3) Generally, the set or space of user identifiers may be
dense, making it feasible to enumerate the set of user
identifiers. Generally, the space of user biometric data
is not dense, making it infeasible to enumerate the
biometric data for each user.

4) Biometric data can be used to authenticate a user while
userID data cannot be used to authenticate a user.

5) A userID is a constant. User biometric data is not
constant.

However, the similarities in userID and biometric data
which may be utilized to provide user dependent
cryptographic keys can be identified as follows:

1) A userID is different for each user and biometric data
is generally different for each user. Note that, in some
cases, it may happen that the biometric data for one
user overlaps (in whole or in part) with another user.
The degree to which this may occur can depend on a
combination of the biometric method being employed
and the sensitivity of the biometric reader devices being
employed.

2) A userID is non-secret data. Biometric data should be
considered as non-secret data, although in some vendor
proprietary systems user biometric data is encrypted
(i.e., protected). Since there is no practical way to
prevent the capture of user biometric data outside the
biometric system, it is false to assume that the secrecy
of user biometric data can be maintained over time.

3) Biometric data, like userID data, can be used to identify
users. In fact, in some sense, biometric data offers a
better mechanism for user identification, since
biometric data provides a mechanism of positive
identification, whereas userID data, until verified via a
separate authentication protocol, is only representative
of a claimed identity.

One potential advantage to using biometric data as the
user specific information is that with biometric data, there is
potentially an easy mechanism for the user to prove their
identity, especially if the user carries their biometric
certificate on a portable token (e.g., smart card). With a userID, the
presumed or claimed identity of the user is known, however,
the user to whom the key or cryptographic variable belongs
will not necessarily have an easy means to prove that they
are that user. A user will not always carry sufficient
credentials to prove their identity (e.g., birth certificate or
passport).

Utilizing the above characteristics of userIDs and
biometric data, the alternative embodiments of the present
invention provide for the generation of cryptographic keys
through differing modifications of key generation
procedures as described in FIG. 3. As seen in FIG. 3, the present
invention provides for generating a user dependent key
value by first obtaining user specific information (block
100). A key generation procedure is then modified using the
user specific information (block 102) and a user dependent
key value generated utilizing the modified procedure (block
104). As used herein, the term "user specific information"
refers to user identification data or biometric data as
described above or a combination of user identification data
and biometric data for a user. As described above, such
information should not be assumed to be secret. Thus, the
alternative embodiments of the present invention assume
that the user specific information is non-secret information.

A first alternative embodiment of the modification of key
generation procedures is illustrated in FIG. 4. The operations
of FIG. 4 illustrate a particular embodiment for the
operations of block 102 of FIG. 3. As seen in FIG. 4, the processor
38 may obtain the secret seed value 70 from memory 36
(block 110). The secret seed value is then combined with
user specific information such as the biometric data 72 or a
user identification (block 112). This combination may be
obtained through a concatenation of the user specific
information with the secret seed value. The concatenated user
specific information and seed value may then be used as a
seed for a key generation procedure such as a pseudo
random number generator (PRNG). Such a seed value may
be utilized with any number of PRNG procedures or other
key generation procedures such as, for example, described in
Schneier, B., "Applied Cryptography" 2nd edition, John
Wiley & Sons Inc, 1996.

As will be appreciated by those of skill in the art, a PRNG
is a procedure for generating pseudo random numbers. A
PRNG is typically initialized with one or more secret seed
values that are used by the PRNG to generate its pseudo
random numbers. However, it is often convenient, and it will
be the practice used in describing the present invention, to
refer to the PRNG as having only one such secret seed value.
If there is more than one seed value, these multiple seed
values may be collected within a single structure or
composite seed value, thus allowing the multiple seed values to
be referred to as a single composite seed value. The PRNG
itself can parse the composite seed value to recover the
multiple seed values and then use these multiple seed
values internally in any way it sees fit. The initial secret seed
value may remain constant, or it may change as a result of
PRNG processing.

The pseudo random numbers generated by a PRNG are
often used as inputs to a key generation process. The key
generation process may be simple, e.g., the generated
pseudo random number may be used directly as a key, or the
key may be produced by adjusting parity bits in the pseudo
random number (e.g., as in a Data Encryption Standard

In the present invention, the key generation process is
dependent on user-specific data, such as a userID or
biometric data, which provides an additional benefit in reducing
the likelihood that two users will randomly generate the
same key sequence. Even if the PRNGs of two different
users are accidentally initialized with the same secret seed
value, utilizing the present invention, the PRNGs will not
generate the same sequence of pseudo random numbers.
While it is still possible for a pseudo random number in the
generated sequence for one user to be equal to a pseudo
random number in the generated sequence for another user
by pure chance, it should never be the case that the entire
sequence of pseudo random numbers for one user would be
equal to the entire sequence of pseudo random numbers for
another user if the present invention is employed.

Consider an example in which the length of the generated
pseudo random numbers is 160 bits, there are 2^40 users, and
each user is expected to generate no more than 2^40 pseudo
random numbers. In that case, the total expected number of
generated pseudo random numbers is 2^40 x 2^40 = 2^80. By the
birthday problem, the probability of finding a matching pair
of numbers is about 1/2. And, in fact, one might find a few
matching pairs (1, 2, or 3 pairs). But, it is highly unlikely that
one would find many such matching pairs. For all practical
purposes, each user would generate a unique set of 160-bit
pseudo random numbers, regardless of whether the present
invention is practiced or not, provided that the initial seed
value used by each PRNG has enough entropy, which is a
reasonable assumption to make. But, by making the PRNG
generation process dependent on user-specific data, one is
also guaranteed that no two users can accidentally select the
same starting seed value, and hence no two users can
accidentally generate the same output sequence of pseudo
random numbers.

Furthermore, the present invention also provides a
capability for users to prove that a generated pseudo random
number belongs to their particular sequence of generated
pseudo random numbers, provided that the user saves the
initial secret seed value and user-specific data, e.g., by
archiving this information in a protected location. In the
(DES) key), or, the key generation process may be complex, event of an audit, the user first recovers the secret seed value 
as in the case of RSAkey generation. The present invention, and the user-specific data, initializes the PRNG, and re gen- 
there fore, should not be construed as limited to a particular erates their sequence of pseudo random numbers until the 
key generation process. pseudo random number, in question, is successfully gener- 

For some PRNGs the specification of a seed value may be 45 ated. The user must also prove that the user-specific data 

inappropriate because the user specific information may be provided to the PRNG belongs to them. An attacker could 

non-secret, and a seed consisting of a secret component duplicate this process, and generate pseudo random numbers 

concatenated with a non-secret component may be too to attack any one particular user, but the generated sequence 

structured and, therefore, undesirable or unwanted. Thus, as of pseudo random numbers for one user could not be used 

is illustrated in FIG. 4, any structure in the seed may be 50 to attack another user. Therefore, use of the present inven- 

eliminated by further subjecting the concatenated seed to a tion can make the work of the attacker more difficult, 

mixing step to remove the structure in the concatenated FIG. 5 illustrates an alternative embodiment of the present 

value, and, thereby, to ensure that the entropy in the seed invention which, rather than modifying the seed value of a 

value is distributed, preferably uniformly, over the entire key generation procedure, modifies the output of the key 

seed value (block 114). For example, the seed value could be 55 generation procedure. The operations of FIG. 5 correspond 

defined as seed-f(R,B) where (R,B) is the concatenation of to the operations of block 102 and 104 of FIG, 3. As is seen 

the secret seed value and the user specific information and in FIG. 5, a key value is generated utilizing a conventional 

where f is the 1-to-l mixing function described in Matyas, key generation procedure (block 200). The generated key is 

M., Peyravian, M., Roginsky, A., and Zunic, N., "Reversible then hashed with the non-secret user specific information 

data mixing procedure for efficient publickey encryption/' 60 (block 202) and the hashed values concatenated to provide 

Computers & Security Vol. 17, No. 3, (265-272) 1998, the sufficient bits for the final key value(block 204). The final 

disclosure of which is incorporated herein as if set forth key value is then determined by selecting the n bits of the 

fully. Those skilled in the art will appreciate that in this final key value from the concatenated hash values to provide 

alternate embodiment of the present invention, the opera- a user dependent key value (block 206). 

tions used by the PRNG to generate its pseudo random 65 In the alternative embodiment of FIG. 5, a pseudo random 

numbers are not adversely affected by the composition of the number R, which generated by a PRNG and used as the 

seed value. initial key value, and user specific information 9 for a 
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particular user are processed in a complex function to 
generate an n-bit secret pseudo random number S. S may be 
used as a key or as an input to a key generation algorithm. 
In a particular embodiment of the alternative embodiment 
illustrated in FIG. 5, the hash and concatenation operations 
are carried out by evaluating: 

Z=H(R,B)||H(R+1,B)||H(R+2,B)|| . . . ||H(R+a,B)

where a=⌈n/h⌉-1, and ⌈x⌉ denotes the smallest integer
greater than or equal to x (i.e. a is the largest integer less than
n/h) and where n is the number of bits in the final key value
and h is the number of bits resulting from the hash operation.
For example, if x=3.2, then ⌈x⌉=4. The symbol "||" denotes
the concatenation operation. Then the final key value S may
be n specific bits of Z (e.g., the n left-most bits of Z).

When H is a strong collision-resistance one-way hash 
function, such as the SHA-1 hash operation described in 
Schneier, B., "Applied Cryptography," 2nd edition, John 
Wiley & Sons Inc, 1996, it is infeasible to derive either R or 
B from Z. Also, no information about Z is revealed if at least 
one of the two input values (i.e., R or B) is not available. 

In a particular implementation of the alternative embodi- 
ment of FIG. 5, the user may store the value of R and 
generate S from R and B on demand, when S is needed. For 
example, S might be an encryption key. In that case, R might 
be encrypted and stored within a cryptographic subsystem. 
Whenever the user needs to encrypt/decrypt with S, the user 
specific information B is obtained, and input to the crypto- 
graphic system, R is decrypted, and S is then computed from 
R and B. In case of an audit, the user can provide R and B, 
thus allowing an independent third party to verify that S is 
indeed computed from R and B. An adversary would be 
unable to perpetrate an attack by directly generating trial 
values of S, since there would be no way in which values for 
R and B could be computed in order to pass a later audit. The 
adversary would be forced to generate trial values for R, and 
then compute S from R using some particular user's B. Thus, 
an adversary could perpetrate an attack against one user but 
could not perpetrate an attack against many users at once, 
which is often the case unless specific defenses are put in 
place to prevent such an attack. 

FIG. 6A illustrates a further embodiment of the present
invention. The operations of FIG. 6A correspond to the
operations of block 102 and 104 of FIG. 3. In the embodi-
ment of FIG. 6A, an initial key value is generated utilizing
a conventional key generation procedure such as through the
use of a PRNG (block 220). A hash value of the user specific
information is also generated (block 222) and concatenated
to provide at least as many bits as the final key value (block
224). Then, n bits of the concatenated hash value are
selected to provide an intermediate hash value (block 226)
(where n is the number of bits in the final hash value). The
selected n bits of the concatenated value are then combined
with the initial key value through, for example, XOR'ing
the intermediate hash value with the initial key value to
provide the final, user dependent, key value (block 228).

In the alternative embodiment of the present invention 
illustrated in FIG. 6A, a pseudo random number R generated 
by a PRNG (in advance or dynamically) and user specific 
information B for a particular user are combined via a simple 
function (e.g., an Exclusive-OR operation) to generate an
n-bit secret pseudo random number S. S may be used as a 
key or as an input to a key generation procedure. 

In a particular embodiment of the alternative embodiment
illustrated in FIG. 6A, the hash and concatenation operations
are carried out by evaluating:

Z=H(B)||H(B+1)||H(B+2)|| . . . ||H(B+a)

where a=⌈n/h⌉-1, and ⌈x⌉ denotes the smallest integer
greater than or equal to x (i.e. a is the largest integer less than
n/h) and where n is the number of bits in the final key value
and h is the number of bits resulting from the hash operation.
The symbol "||" denotes the concatenation operation. Then
the intermediate hash value S may be n specific bits of Z
(e.g., the n left-most bits of Z). The final, user dependent key
value may then be generated by determining S=R⊕S.

FIG. 6B illustrates a particular implementation of the
embodiment of the present invention illustrated in FIG. 6A.
An example illustrating the use of the described method
would be a host system supporting multiple users, where the
host makes use of a single secret master key R and each user
"i" has a dynamically generated variant key S_i computed
from X_i, the user specific information for user "i", and R.

As seen in FIG. 6B, the key value is generated utilizing a
conventional key generation process (block 220). This initial
key value is then combined with a pre-computed interme-
diate hash value based on the user specific information
(blocks 225 and 228). Thus, when a user requires a key to
be generated, all that need be generated is the initial key
which may be done utilizing a conventional process and then
the pre-computed intermediate hash value XOR'ed with the
initial key to provide the final user dependent key value.
Thus, the embodiment of the present invention illustrated in
FIG. 6B may be readily implemented as an add-on feature
to existing encryption methodologies or applications.
Furthermore, only minimal processing capabilities need be
utilized because of the use of a pre-computed hash value and
the simple operation utilized to combine the hash value and
the key value. Accordingly, the embodiment of FIG. 6B may
be suitable for portable computing or "pervasive computing"
devices such as smartphones, personal data assistants, or the
like, with limited processing capabilities and limited battery
life.
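The FIG. 5 and FIG. 6A/6B derivations described above can be worked through as follows. This is an added example, not code from the patent; SHA-1 is the hash the text names, while the byte encodings of H(R+i,B) and B+i, the helper names and the sample values R, ALICE and BOB are assumptions of the example.

```python
import hashlib
import hmac

HASH = hashlib.sha1                  # the hash the text names; any one-way hash fits the formula
H_BITS = HASH().digest_size * 8      # h = 160 for SHA-1


def add_counter(value: bytes, i: int) -> bytes:
    """value + i, reading value as a fixed-width big-endian integer (assumed encoding)."""
    width = len(value)
    return ((int.from_bytes(value, "big") + i) % (1 << (8 * width))).to_bytes(width, "big")


def leftmost_bits(z: bytes, n_bits: int) -> bytes:
    """The n left-most bits of z; unused low bits of the last byte are cleared."""
    out = bytearray(z[: (n_bits + 7) // 8])
    if n_bits % 8:
        out[-1] &= (0xFF << (8 - n_bits % 8)) & 0xFF
    return bytes(out)


def block_count(n_bits: int) -> int:
    """a + 1, where a = ceil(n/h) - 1 is the last counter value in the formula."""
    if n_bits <= 0:
        raise ValueError("n must be positive")
    return -(-n_bits // H_BITS)


def derive_fig5(r: bytes, b: bytes, n_bits: int) -> bytes:
    """S = n left-most bits of Z = H(R,B) || H(R+1,B) || ... || H(R+a,B)."""
    if not r or not b:
        raise ValueError("R and B must be non-empty")
    # H(R+i, B) is computed over the fixed-width R+i followed by B (assumed encoding).
    z = b"".join(HASH(add_counter(r, i) + b).digest() for i in range(block_count(n_bits)))
    return leftmost_bits(z, n_bits)


def intermediate_fig6a(b: bytes, n_bits: int) -> bytes:
    """n left-most bits of Z = H(B) || H(B+1) || ... || H(B+a).

    The value depends on B only, so it can be computed once and stored (FIG. 6B).
    """
    if not b:
        raise ValueError("B must be non-empty")
    z = b"".join(HASH(add_counter(b, i)).digest() for i in range(block_count(n_bits)))
    return leftmost_bits(z, n_bits)


def combine_fig6a(r: bytes, intermediate: bytes) -> bytes:
    """Final key = R XOR intermediate value (both n bits, n a multiple of 8 here)."""
    if len(r) != len(intermediate):
        raise ValueError("R and the intermediate value must have the same length")
    return bytes(x ^ y for x, y in zip(r, intermediate))


def audit_fig5(claimed_s: bytes, r: bytes, b: bytes, n_bits: int) -> bool:
    """Third-party audit: recompute S from the archived R and the user's B."""
    return hmac.compare_digest(claimed_s, derive_fig5(r, b, n_bits))


# Constructed sample values, not taken from the patent.
R = bytes(range(32))                 # stand-in for a 256-bit PRNG output
ALICE, BOB = b"alice@example.com", b"bob@example.com"

if __name__ == "__main__":
    s_alice = derive_fig5(R, ALICE, 256)
    print("FIG. 5 key for alice:  ", s_alice.hex())
    print("audit with alice's B:  ", audit_fig5(s_alice, R, ALICE, 256))
    print("audit with bob's B:    ", audit_fig5(s_alice, R, BOB, 256))
    mask = intermediate_fig6a(ALICE, 256)   # pre-computed once per user
    print("FIG. 6A key for alice: ", combine_fig6a(R, mask).hex())
```

In the XOR form the intermediate value is a function of B alone, so applying `combine_fig6a` to a final key and that user's intermediate value returns R; in the FIG. 5 form R sits inside the hash and cannot be read back this way.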

As a result of the use of a hash function which would have
a hash function collision probability, there is no guarantee
that a key or random number derived for a user will be
unique. For example, two users with different biometric data
may end up having the same S because of the results of the
hash function. The probability of two users ending up with
the same S will be quite small if n and h are chosen to be
large. However, the probability does exist.

FIG. 7 illustrates an embodiment of the present invention
which guarantees that two different users will generate
different key values. The operations of FIG. 7 correspond to
the operations of block 102 and 104 of FIG. 3. As seen in
FIG. 7, the space of all potential key values (i.e. 2^n for an
n-bit key value) is divided into 2^b subspaces where b is the
number of bits of user specific information and where n>b
(block 300). Note that each of the 2^b subspaces contain key
values having n bits. One of the subspaces is then selected
based on the user specific information of a particular user
(block 302). The user dependent key value is then selected
from the subspace selected by the user specific information
(block 304). Optionally, the selected key may be further
mixed (block 306) utilizing a mixing function, such as the
1-to-1 mixing function described above.

As an example, a way to divide an n-bit space into 2^b
sub-spaces is to take the first b bits from the user specific
information and allow the remaining n-b bits to take any
value (e.g. concatenating a random value of n-b bits with the
b bits of the user specific information). The b-bit user
specific data may include a t-bit field which indicates the
type of biometric data (e.g., fingerprint, hand geometry, iris
pattern, facial features, etc.).

As described above, if the operations illustrated in FIG. 7
are terminated at block 304, the generated random number
or key is, in general, highly structured. In this case, the
generated n-bit cryptographic variable (random number or
key) consists of a user-specific portion of b bits (e.g.,
biometric data) and a random secret portion of n-b bits. If the
user-specific portion is a userID, then the user-specific
portion would be a non-secret constant value for each user.
If the user-specific portion is biometric data, then the user-
specific portion might still be non-secret and contain struc-
ture or redundancy. In either case, it could be undesirable for
a key or random number to contain so much predictability in
some particular portion of it which might give an attacker
some advantage. Thus, it may be advantageous to employ a
mixing function to mix the user-dependent key or random
number so that the secret entropy in it will be uniformly
spread over the entire key or random number.

As illustrated in optional block 306 of FIG. 7, the n-bit 
key or random value produced is subjected to a further 
mixing operation. The n-bit key or random value, produced 
using the above scheme, is mixed using a 1-to-1 mixing
function to produce the final value. One such suitable 1-to-1
mixing function is the reversible data mixing function
described in Matyas, M., Peyravian, M., Roginsky, A., and
Zunic, N., "Reversible data mixing procedure for efficient 
public-key encryption," Computers & Security Vol. 17, No. 
3, (265-272) 1998, which can be applied to any arbitrary 
n-bit input. 

The specification of the b bits of user-specific information 
can be further explained, and amplified on. In certain cases, 
the values of n and b will be specified or fixed. In that case, 
the length of the user-specific information L may be less than 
b (L<b), equal to b (L=b), or greater than b (L>b). If L=b, 
then the entire user-specific information is used as the 
desired b bits. If L<b, then the desired b bits can be obtained 
as a function of the user-specific information, e.g., by tiling 
the user-specific information and selecting the first b bits 
from the tiled user-specific information. If L>b, then b bits 
can be obtained as a function of the user-specific 
information, e.g., by hashing the user-specific information 
using a method such as the method described in FIG. 6A and
selecting b specific bits of Z where
Z=H(B)||H(B+1)||H(B+2)|| . . . ||H(B+a).

As an example of the use of the embodiment of the 
present invention described in FIG. 7, in a public key system 
based on the RSA algorithm, the public modulus is the 
product of two large prime numbers. It has been suggested 
that two users with different moduli might have a common 
prime factor in their moduli, either by accident or because of 
a poor design (design flaw) in the system. If N1=p1×q1 and
N2=p2×q2, where (say) p1=p2, then it is easy to find p1 or p2
given N1 and N2, i.e., an efficient algorithm exists to find
the common factor p1 or p2 given N1 and N2. If such a
common prime factor were to exist, and this fact were
discovered, then it would also be an easy matter to factor
each modulus into its prime factors. This, of course, would 
allow the private keys to be computed from the correspond- 
ing public keys, and hence, for the security of the keys to be 
compromised. The present invention can guarantee that no 
two users would inadvertently generate the same prime 
numbers in their respective keys. 

While the present invention does not guarantee that the 
same user will not accidentally generate the same primes, if 
the user saves all prior moduli, it could be readily deter- 
mined if the newly generated primes are factors of any 
previously generated moduli. Such testing would be up to 
the user, and totally under the user's control, both to save 
prior moduli and test these moduli. The really difficult and
insurmountable problem would be to test one user's primes
against the moduli for all other users. The present invention
obviates the need for such testing.
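The two tests discussed above, a user checking new primes against their own archived moduli and the cross-user comparison that finds a common factor, look like this as a key-inventory audit. This is an added example, not part of the patent; the function names and the inventory are assumptions, and the sample moduli are constructed from small Mersenne primes rather than real RSA primes.

```python
from itertools import combinations
from math import gcd


def audit_moduli(moduli: dict) -> list:
    """Report every pair of moduli in the inventory that is not coprime.

    Returns (owner_a, owner_b, kind, factor) tuples, where kind is
    "identical modulus" or "shared prime".
    """
    findings = []
    for (a, na), (b, nb) in combinations(sorted(moduli.items()), 2):
        g = gcd(na, nb)          # Euclid's algorithm: the efficient test the text refers to
        if g == 1:
            continue
        kind = "identical modulus" if na == nb else "shared prime"
        findings.append((a, b, kind, g))
    return findings


def reused_in_archive(p: int, q: int, archive: list) -> list:
    """Self-check before issuing a key: which of the user's own saved moduli
    already contain one of the newly generated primes?"""
    return [n for n in archive if n % p == 0 or n % q == 0]


# Constructed sample data: Mersenne primes stand in for RSA primes.
P_SHARED = 2**127 - 1
Q1, Q2 = 2**89 - 1, 2**107 - 1
P3, Q3 = 2**61 - 1, 2**31 - 1
INVENTORY = {
    "alice": P_SHARED * Q1,
    "bob": P_SHARED * Q2,        # shares a prime with alice
    "carol": P3 * Q3,
}

if __name__ == "__main__":
    for owner_a, owner_b, kind, factor in audit_moduli(INVENTORY):
        print(f"{owner_a} / {owner_b}: {kind}, common factor {factor}")
    print("new primes already used:",
          len(reused_in_archive(P_SHARED, 2**13 - 1, list(INVENTORY.values()))), "moduli")
```

The pairwise loop is quadratic in the number of moduli, which is the cross-user cost the text says user-specific subspaces make unnecessary.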

Another benefit of the utilization of the present invention,
is that by making the key or random number generation
process dependent on user-specific data, such as a userID or
biometric data, one has the ability to later prove that a
generated key or random number belongs to a particular
user. In this regard, the present invention can provide a
means to "brand" a key or random number so that its rightful
user can be determined. This branding feature may ensure
that a user can prove that a key or random number is one
belonging to, or generated in, his designated space of keys
or random numbers and that a user cannot deny that a key
or random number is one belonging to, or generated in, his
designated space of keys or random numbers.

FIG. 8 illustrates operations according to a further
embodiment of the present invention which utilizes the
branded key or value to authenticate the source of the value.
As seen in FIG. 8, the branded value is received (block 400)
and entity specific information (such as the user specific
information described above) is recovered from the received
branded value. The branded value is preferably a value
which has been generated in a manner described above
according to the various embodiments of the present inven-
tion utilizing the user specific information to provide the
branded value. After recovering the entity specific
information, this information is then utilized to determine
the source of the branded value (block 404). As has briefly
been described above, this recovery and evaluation may take
the form of recreating the branded value utilizing the gen-
eration procedure utilized by the source and then comparing
this recreated value with the received value. Preferably,
however, the recovery and evaluation are performed by
determining if the received value is a value from the
subspace of the source. If such is the case, then the source
of the branded value is authenticated.
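The subspace selection of FIG. 7 and the subspace membership check of FIG. 8 can be sketched together as below. This is an added example, not code from the patent: values are handled as Python integers, the user's b bits are placed in the most significant positions, the optional mixing step (block 306) is left out (a mixed value would have to be un-mixed before the prefix check applies), and the function names, SHA-1 choice and sample directory are assumptions.

```python
import hashlib
import secrets


def user_bits(info: bytes, b: int) -> int:
    """Reduce or extend user-specific information of L bits to exactly b bits."""
    length = 8 * len(info)
    if length == 0 or b <= 0:
        raise ValueError("need non-empty user information and b > 0")
    if length <= b:
        # L = b: use as is. L < b: tile the information and keep the first b bits.
        reps = -(-b // length)
        return int.from_bytes(info * reps, "big") >> (reps * length - b)
    # L > b: hash as in FIG. 6A, Z = H(B) || H(B+1) || ..., and keep the first b bits.
    # SHA-1 and the fixed-width big-endian B+i encoding are assumptions of this example.
    base = int.from_bytes(info, "big")
    z = b"".join(
        hashlib.sha1(((base + i) % (1 << length)).to_bytes(len(info), "big")).digest()
        for i in range(-(-b // 160))
    )
    return int.from_bytes(z, "big") >> (8 * len(z) - b)


def generate_in_subspace(info: bytes, n: int, b: int) -> int:
    """Pick an n-bit value whose first b bits are the user's bits (blocks 300-304)."""
    if not 0 < b < n:
        raise ValueError("require 0 < b < n")
    return (user_bits(info, b) << (n - b)) | secrets.randbits(n - b)


def in_subspace(value: int, info: bytes, n: int, b: int) -> bool:
    """FIG. 8 check: does the received value lie in this entity's subspace?"""
    if not 0 <= value < (1 << n):
        return False
    return (value >> (n - b)) == user_bits(info, b)


def identify(value: int, directory: dict, n: int, b: int) -> list:
    """Return every enrolled entity whose subspace contains the value."""
    return [name for name, info in directory.items() if in_subspace(value, info, n, b)]


def prefix_collisions(directory: dict, b: int) -> list:
    """Enrollment check: groups of entities that would share one subspace.

    Distinct users get distinct subspaces only if their b-bit values differ;
    tiling ("ab" vs "abab") or hashing can map two identifiers to the same bits.
    """
    seen = {}
    for name, info in directory.items():
        seen.setdefault(user_bits(info, b), []).append(name)
    return [names for names in seen.values() if len(names) > 1]


# Constructed sample directory of fixed-length 32-bit user IDs.
DIRECTORY = {"alice": b"U001", "bob": b"U002"}
N_BITS, B_BITS = 128, 32

if __name__ == "__main__":
    key = generate_in_subspace(DIRECTORY["alice"], N_BITS, B_BITS)
    print(f"branded value: {key:032x}")
    print("belongs to:", identify(key, DIRECTORY, N_BITS, B_BITS))
    print("subspace collisions at enrollment:", prefix_collisions(DIRECTORY, B_BITS))
```

Running `prefix_collisions` at enrollment is what turns the uniqueness guarantee into something checkable: it holds for the fixed-length IDs in the sample directory and fails for identifiers of mixed length.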

In a public key cryptosystem, consider the case where an
adversary steals another user's private key, and then takes
the public key and requests and receives a certificate for that
public key from a certification authority (CA). In this case,
the certificate binds the public key to the adversary's userID.
The adversary then signs with the stolen private key. Later,
the adversary repudiates their signatures by claiming that the
other party stole their private key. However, the branding of
the present invention can defend against the described
attack. If a dispute arises, the branded key will indicate
which user is the authorized user.

In case of a dispute, the user-specific information in the
branded key or cryptographic variable is used to determine
the identity of the user to whom the key belongs. If the
user-specific data is a userID, then the identity of the user is
automatically known. If the user-specific data is biometric
data, then the biometric data is used to establish the identity
of the user, using a biometric identification process. The
process of biometric identification consists of comparing the
given biometric data against a set of biometric templates,
e.g., a set of biometric templates stored in a central data
base. We assume that for each such biometric template there
is an associated userID identifying the user to which the
template pertains. If a "match" is found, then the identity of
the user has been determined.

However, if it were the case that the presumed identity of
the user is given, then a biometric verification procedure
could be used instead. If the biometric data stored in the key
or cryptographic variable were a biometric template, then
the user could be asked to provide a biometric sample, thus
enabling the user to be authenticated against the given biomet-
ric template. If the biometric data stored in the key or
cryptographic variable were instead a biometric sample,
then the biometric sample would have to be authenticated
against a biometric template (for that user), e.g., a biometric
template stored in a central data base or a biometric template
contained in a trustworthy biometric certificate that itself
could be validated.

If the user specific information in the branded key or
cryptographic variable has been hashed (as, for example,
utilizing the operations of FIGS. 5 through 6B), then the
procedure for determining the identity of the user to whom
the key or cryptographic variable belongs operates differ-
ently. In this case, the presumed or claimed identity is used
to determine the associated or corresponding user-specific
information, e.g., by locating this stored information within
the system. This user specific information is hashed (using
the same procedure originally used to generate the hashed
value in the branded key or cryptographic variable) and then
compared for equality with the hashed user-specific infor-
mation in the branded key or cryptographic variable. If these
two values are equal, then the identity of the user to whom
the key or cryptographic variable belongs has been identi-
fied. A similar procedure may be utilized for the generation
operations illustrated in FIG. 4 by recreating the generated
key utilizing the user specific information and the secret
seed value of the source of the branded value.

The present invention has also been described with ref-
erence to the use of user specific information. User specific
information could be a userID, biometric information, or
a combination of the two. In this regard, the present inven-
tion provides a means to "brand" a key or random number
so that its rightful user can be determined. Those skilled in
the art will recognize that such branding is not limited to
only users, but could be used to brand a key or value with
information specific to and associated with an entity where
the entity is other than a human user. For example, the user
specific information could be used to brand information with
a company identifier (company ID), thus enabling one to
show that the branded value belongs to a specific company.
Whereas a biometric is associated with a specific user, an
identifier could be associated with a user, group,
organization, company, etc., and therefore the present inven-
tion is not limited to a method of branding based only on
user specific information. Thus, as used herein the term user
specific information may also refer to entity-specific infor-
mation. A human user is just an example of one type of
entity.

In several instances, the present invention has been
described with respect to a pseudo-random-number gener-
ated by a pseudo random number generator. Those skilled in
the art will appreciate that the invention can be practiced
instead using random numbers produced by a true random
number generator, or using other values not necessarily
random or pseudo random numbers, such as keys or cryp-
tographic values defined or used for some other purpose
within the system or using values provided to the procedure
by some other source outside the system. Thus, the present
invention may be utilized to operate on an initial crypto-
graphic value irrespective of the manner in which the initial
cryptographic value is obtained.

In the drawings and specification, there have been dis-
closed typical preferred embodiments of the invention and,
although specific terms are employed, they are used in a
generic and descriptive sense only and not for purposes of
limitation, the scope of the invention being set forth in the
following claims.



That which is claimed is: 

1. A method of generating a cryptographic value, the 
method comprising the steps of: 

obtaining non-secret user specific information about a 
user; 

obtaining an initial cryptographic value; and 
modifying the initial cryptographic value with the non- 
secret user specific information so as to provide a user 
dependent cryptographic value by hashing the initial 
cryptographic value and the non-secret user specific 
information utilizing a one-way hash operation so as to 
generate the user dependent cryptographic value; 
wherein the user dependent key value (S) comprises n 
bits, wherein the results of the hash operation provides 
h bits and wherein the step of hashing comprises the 
steps of: 

determining an intermediate hash value (Z) utilizing the 
concatenation of hash values defined by, 

Z=H(R,B)||H(R+1,B)||H(R+2,B)|| . . . H(R+a,B)

where H is the one way hash operation, B is the 
non-secret user specific information and a is the 
largest integer smaller than n/h; and 

selecting n bits from Z so as to provide the user 
dependent cryptographic value. 

2. A method according to claim 1, wherein the selected n 
bits comprise the n most significant bits of Z. 

3. A method according to claim 1, wherein the non-secret 
user specific information is biometric information. 

4. A method according to claim 1, wherein the non-secret 
user specific information is a globally unique user identifi- 
cation. 

5. A method according to claim 1, wherein the step of 
obtaining an initial cryptographic value comprises the step 
of generating a pseudo-random value utilizing a pseudo 
random number generator. 

6. A method of generating a cryptographic value, the 
method comprising the steps of: 

obtaining an initial cryptographic value; and 

obtaining a final intermediate value as a function of user 
specific information about a user; and 

combining the final intermediate value with the initial 
cryptographic value so as to provide a user dependent 
cryptographic value; 

wherein the user dependent cryptographic value (S) com- 
prises n bits and wherein the step of obtaining a final 
intermediate value comprises the steps of: 
determining a first intermediate hash value (Z) utilizing 
the concatenation of hash values defined by, 

Z=H(B)||H(B+1)||H(B+2)|| . . . H(B+a)

where H is the one way hash operation, B is the user 
specific information and a is the largest integer 
smaller than n/h where h is a number of bits resulting 
from the hash operation H; and 

selecting n bits from Z so as to provide the final 
intermediate value. 

7. A method according to claim 6, wherein the selected n 
bits comprise the n most significant bits of Z. 

8. A method according to claim 6, wherein the step of 
combining comprises the step of EXCLUSIVE ORing the 
initial cryptographic value and the final intermediate value. 

9. A method according to claim 6, further comprising the 
step of storing the final intermediate value so as to provide 
a pre-computed intermediate value and wherein the step of
obtaining an intermediate value comprises the step of
obtaining the pre-computed intermediate value. 

10. A method according to claim 6, wherein the user 
specific information is biometric information. 

11. A method according to claim 6, wherein the user
specific information is a globally unique user identification.

12. A method according to claim 6, wherein the step of
obtaining an initial cryptographic value comprises the step
of generating a pseudo-random value utilizing a pseudo
random number generator.

13. A method of generating a cryptographic value, the 
method comprising the steps of: 

obtaining user specific information about a user; 

selecting a user dependent cryptographic value from a
user specific range of cryptographic values based on the
user specific information, wherein the user specific
range of cryptographic values comprises a subspace of
a range of potential cryptographic values from which a
value generation procedure selects a cryptographic
value;

wherein the user specific information comprises b bits and
the cryptographic values comprise n bits, the method
further comprising the steps of:

dividing the range of potential cryptographic values
into 2^b subspaces; and

selecting one of the subspaces as the user specific range
of cryptographic values based on the user specific
information so as to provide the user specific range
of cryptographic values.

14. A method according to claim 13, further comprising 
the step of mixing bits of the selected user dependent 
cryptographic value so as to increase the uniformity of a 
distribution of entropy in the user dependent cryptographic 
value.

15. A method according to claim 13, wherein the user 
specific information is a globally unique user identification. 

16. A method of authenticating a cryptographic value, the 
method comprising the steps of: 

obtaining entity specific information associated with a
source entity; 

modifying a specified cryptographic value with the entity 

specific information to produce a branded value; 
receiving the branded value; 

recovering the entity specific information from the
received branded value; and 

determining the source entity of the received branded 
value based on the recovered entity specific informa- 
tion; 

wherein the step of modifying a specified cryptographic 
value comprises the step of: 

modifying a seed value of a key generation procedure 
with the entity specific information so that the key 
generation procedure generates an entity dependent
cryptographic key so as to provide the branded 
value; and 

wherein the steps of recovering the entity specific infor- 
mation from the received branded value and determin- 
ing the source entity of the received branded value
based on the recovered entity specific information 
comprises the steps of: 

generating a second branded value utilizing an expected 
seed value and the entity specific information and the 
key generation procedure; and

comparing the generated second branded value with the 
received branded value. 



17. A method according to claim 16, wherein the entity 
specific information comprises a globally unique user iden- 
tification associated with a user. 

18. A method according to claim 16, wherein the entity 
specific information comprises a company identification. 

19. A method of authenticating a cryptographic value, the
method comprising the steps of:

obtaining entity specific information associated with a
source entity;

modifying a specified cryptographic value with the entity
specific information to produce a branded value;

receiving the branded value;

recovering the entity specific information from the
received branded value; and

determining the source entity of the received branded
value based on the recovered entity specific information;

wherein the step of modifying a specified cryptographic
value comprises the step of:

hashing the specified cryptographic value and the entity
specific information utilizing a one-way hash operation
so as to generate the branded value;

wherein the steps of recovering the entity specific
information from the received branded value and
determining the source entity of the received branded
value based on the recovered entity specific information
comprise the steps of:

generating a second branded value by hashing an
expected specified cryptographic value and the
entity specific information utilizing the one-way
hash function; and

comparing the generated second branded value with
the received branded value.

20. A method of authenticating a cryptographic value, the
method comprising the steps of:

obtaining entity specific information associated with a
source entity;

modifying a specified cryptographic value with the entity
specific information to produce a branded value;

receiving the branded value;

recovering the entity specific information from the
received branded value; and

determining the source entity of the received branded
value based on the recovered entity specific information;

wherein the step of modifying a specified cryptographic
value comprises the steps of:

obtaining a final intermediate value as a function of the
entity specific information; and

combining the final intermediate value with the specified
cryptographic value so as to provide the branded
value.

21. A method according to claim 20,

wherein the steps of recovering the entity specific
information from the received branded value and
determining the source entity of the received branded value
based on the recovered entity specific information
comprises the steps of:

generating a second branded value by combining an
expected specified cryptographic value and the final
intermediate value; and

comparing the generated second branded value with the
received branded value.

22. A method according to claim 16, wherein the step of
modifying a specified cryptographic value comprises the
step of:

selecting a value from an entity specific range of
cryptographic values based on the entity specific information,
wherein the entity specific range of cryptographic values
comprises a subspace of a range of potential
cryptographic values from which a value generation
procedure selects a cryptographic value so as to provide
the branded value.

23. A method according to claim 22, wherein the steps of
recovering the entity specific information from the received
branded value and determining the source entity of the
received branded value based on the recovered entity
specific information comprises the step of:

determining if the received branded value is within the
entity specific range of cryptographic values associated
with the source entity of the received branded value.

24. A system for generating a cryptographic value,
comprising:

means for obtaining non-secret user specific information
about a user;

means for obtaining an initial cryptographic value; and

means for modifying the initial cryptographic value with
the non-secret user specific information so as to provide
a user dependent cryptographic value by hashing the
initial cryptographic value and the non-secret user
specific information utilizing a one-way hash operation
so as to generate the user dependent cryptographic
value;

wherein the user dependent key value (S) comprises n
bits, wherein the results of the hash operation provides
h bits and wherein the means for modifying comprises:

means for determining an intermediate hash value (Z)
utilizing the concatenation of hash values defined by,

Z=H(R,B)||H(R+1 . . .

where H is the one way hash operation, B is the
non-secret user specific information and a is the
largest integer smaller than n/h; and

means for selecting n bits from Z so as to provide the
user dependent cryptographic value.

25. A system for generating a cryptographic value,
comprising:

means for obtaining an initial cryptographic value; and

means for obtaining a final intermediate value as a
function of the user specific information about a user; and

means for combining the final intermediate value with the
initial cryptographic value so as to provide the user
dependent cryptographic value;

wherein the user dependent cryptographic value (S)
comprises n bits and wherein the means for obtaining a final
intermediate value comprises:

means for determining a first intermediate hash value
(Z) utilizing the concatenation of hash values defined
by,

Z=H(B)||H(B+1)||H(B+2)|| . . . ||H(B+a)

where H is the one way hash operation, B is the user
specific information and a is the largest integer
smaller than n/h where h is a number of bits resulting
from the hash operation H; and

means for selecting n bits from Z so as to provide the
final intermediate value.
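
The concatenated-hash construction of claims 20, 21 and 25 can be followed end to end in a short Python sketch. This is an added example, not code from the patent: SHA-256 as H, taking the leading n bits of Z, XOR as the combining step, and the sample identifiers are all assumptions.

```python
import hashlib
import hmac

H_BITS = 256  # h: bits produced by H (SHA-256 is an assumption, not from the patent)

def intermediate_value(b_info: bytes, n_bits: int) -> int:
    """Z = H(B) || H(B+1) || ... || H(B+a); return n bits selected from Z."""
    a = (n_bits - 1) // H_BITS            # largest integer smaller than n/h
    b_int = int.from_bytes(b_info, "big")
    width = len(b_info) + 1               # spare byte so B+i never overflows
    z = b"".join(
        hashlib.sha256((b_int + i).to_bytes(width, "big")).digest()
        for i in range(a + 1)
    )
    # Assumption: "selecting n bits" means the leading n bits of Z.
    return int.from_bytes(z, "big") >> (len(z) * 8 - n_bits)

def brand(value: int, b_info: bytes, n_bits: int) -> int:
    """Combine the final intermediate value with an n-bit value (XOR assumed)."""
    if not 0 <= value < 1 << n_bits:
        raise ValueError("value must fit in n bits")
    return value ^ intermediate_value(b_info, n_bits)

def identify_source(received: int, expected: int, candidates, n_bits: int):
    """Regenerate a second branded value per candidate and compare (claim 21)."""
    size = (n_bits + 7) // 8
    got = received.to_bytes(size, "big")
    for b_info in candidates:
        second = brand(expected, b_info, n_bits).to_bytes(size, "big")
        if hmac.compare_digest(second, got):
            return b_info
    return None                           # no known entity produced this value

# Constructed sample data: a 320-bit initial value and two user identifiers.
N_BITS = 320
R = int.from_bytes(hashlib.sha256(b"constructed initial value").digest() + bytes(8), "big")
USERS = [b"alice@example.com", b"bob@example.com"]

if __name__ == "__main__":
    s = brand(R, USERS[1], N_BITS)
    print(identify_source(s, R, USERS, N_BITS))
```

Because B is non-secret, the branded value is exactly as secret as the initial value: the branding attributes a value to an entity, it does not add entropy.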

26. A system for generating a cryptographic value,
comprising:

means for obtaining user specific information about a
user;

means for selecting a user dependent cryptographic value
from a user specific range of cryptographic values
based on the user specific information, wherein the user
specific range of cryptographic values comprises a
subspace of a range of potential cryptographic values
from which a value generation procedure selects a
cryptographic value;

wherein the user specific information comprises b bits and
the cryptographic values comprise n bits, the system
further comprising:

means for dividing the range of potential cryptographic
values into 2^b subspaces; and

means for selecting one of the subspaces as the user
specific range of cryptographic values based on the
user specific information so as to provide the user
specific range of cryptographic values.
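
An added Python example (not from the patent) of the subspace approach in claims 22, 23 and 26. It assumes the 2^b subspaces are equal contiguous ranges indexed by the b-bit user specific information, so only n-b bits of each value remain random; the sample user number is constructed.

```python
import secrets

def subspace(b_info: int, n_bits: int, b_bits: int) -> range:
    """Return the user specific range: part number b_info of 2**b equal parts."""
    if not 0 < b_bits < n_bits:
        raise ValueError("need 0 < b < n so that some bits stay random")
    if not 0 <= b_info < 1 << b_bits:
        raise ValueError("user specific information must fit in b bits")
    span = 1 << (n_bits - b_bits)         # size of each subspace (assumed equal)
    return range(b_info * span, (b_info + 1) * span)

def generate(b_info: int, n_bits: int, b_bits: int) -> int:
    """Select a user dependent value from the user specific range."""
    space = subspace(b_info, n_bits, b_bits)
    return space.start + secrets.randbits(n_bits - b_bits)

def is_from(received: int, b_info: int, n_bits: int, b_bits: int) -> bool:
    """Claim 23 check: is the received value inside this entity's range?"""
    return received in subspace(b_info, n_bits, b_bits)

def recover_info(received: int, n_bits: int, b_bits: int) -> int:
    """Recover the b-bit information by locating the subspace of the value."""
    if not 0 <= received < 1 << n_bits:
        raise ValueError("received value is not an n-bit value")
    return received >> (n_bits - b_bits)

if __name__ == "__main__":
    USER_NUMBER = 0x2A5                   # constructed 16-bit user number
    key = generate(USER_NUMBER, 128, 16)  # 128-bit value, 112 random bits
    print(hex(key), hex(recover_info(key, 128, 16)))
    print(is_from(key, USER_NUMBER, 128, 16), is_from(key, 0x2A6, 128, 16))
```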

27. A system for authenticating a cryptographic value,
comprising:

means for obtaining entity specific information associated
with a source entity;

means for modifying a specified cryptographic value with
the non-secret entity specific information to produce a
branded value;

means for receiving the branded value;

means for recovering the entity specific information from
the received branded value; and

means for determining the source entity of the received
branded value based on the recovered entity specific
information;

wherein the means for modifying a specified
cryptographic value comprises:

means for modifying a seed value of a key generation
procedure with the entity specific information so that
the key generation procedure generates an entity
dependent cryptographic key so as to provide the
branded value; and

wherein the means for recovering the entity specific
information from the received branded value and the
means for determining the source entity of the
received branded value based on the recovered entity
specific information comprises:

means for generating a second branded value utilizing
an expected seed value and the entity specific
information and the key generation procedure; and

means for comparing the generated second branded
value with the received branded value.

28. A computer program product for generating a
cryptographic value, comprising:

a computer-readable storage medium having computer-readable
program code means embodied in said
medium, said computer-readable program code means
comprising:

computer-readable program code means for obtaining
non-secret user specific information about a user;

computer-readable program code means for obtaining
an initial cryptographic value; and

computer-readable program code means for modifying
the initial cryptographic value with the non-secret
user specific information so as to provide a user
dependent cryptographic value by hashing the initial
cryptographic value and the non-secret user specific
information utilizing a one-way hash operation so as
to generate the user dependent cryptographic value;

wherein the user dependent key value (S) comprises n
bits, wherein the results of the hash operation provides
h bits and wherein the computer readable code
means for modifying comprises:






computer readable code means for determining an
intermediate hash value (Z) utilizing the
concatenation of hash values defined by,

where H is the one way hash operation, B is the
non-secret user specific information and a is the
largest integer smaller than n/h; and

computer readable code means for selecting n bits
from Z so as to provide the user dependent
cryptographic value.

29. A computer program product for generating a
cryptographic value, comprising:

a computer-readable storage medium having computer-readable
program code means embodied in said
medium, said computer-readable program code means
comprising:

computer-readable program code means for obtaining
an initial cryptographic value;

computer-readable program code means for obtaining a
final intermediate value as a function of the user
specific information about a user; and

computer-readable program code means for combining
the final intermediate value with the initial
cryptographic value so as to provide the user dependent
cryptographic value;

wherein the user dependent cryptographic value (S)
comprises n bits and wherein the computer-readable
program code means for obtaining a final
intermediate value comprises:

computer-readable program code means for
determining a first intermediate hash value (Z) utilizing
the concatenation of hash values defined by,

Z=H(B)||H(B+1)||H(B+2)|| . . . ||H(B+a)

where H is the one way hash operation, B is the user
specific information and a is the largest integer
smaller than n/h where h is a number of bits
resulting from the hash operation H; and

computer-readable program code means for
selecting n bits from Z so as to provide the final
intermediate value.

30. A computer program product for generating a
cryptographic key, comprising:

a computer-readable storage medium having computer-readable
program code means embodied in said
medium, said computer-readable program code means
comprising:

computer-readable program code means for obtaining
user specific information about a user;

computer-readable program code means for selecting a
user dependent cryptographic value from a user
specific range of cryptographic values based on the
user specific information, wherein the user specific
range of cryptographic values comprises a subspace
of a range of potential cryptographic values from
which a value generation procedure selects a
cryptographic value;

wherein the user specific information comprises b bits
and the cryptographic values comprise n bits, the
computer program product further comprising:

computer-readable program means for dividing the
range of potential cryptographic values into 2^b
subspaces; and

computer-readable program means for selecting one
of the subspaces as the user specific range of
cryptographic values based on the user specific
information so as to provide the user specific
range of cryptographic values.

31. A computer program product for authenticating a
cryptographic value, comprising:

a computer-readable storage medium having computer-readable
program code means embodied in said
medium, said computer-readable program code means
comprising:

computer-readable program code means for obtaining
entity specific information associated with a source
entity;

computer-readable program code means for modifying
a specified cryptographic value with the non-secret
entity specific information to produce a branded
value;

computer-readable program code means for receiving
the branded value;

computer-readable program code means for recovering
the entity specific information from the received
branded value; and

computer-readable program code means for determining
the source entity of the received branded value
based on the recovered entity specific information,

wherein the computer-readable program code means
for modifying a specified cryptographic value
comprises:

computer-readable program code means for modifying
a seed value of a key generation procedure
with the entity specific information so that the key
generation procedure generates an entity dependent
cryptographic key so as to provide the
branded value; and

wherein the computer-readable program code means
for recovering the entity specific information from
the received branded value and the computer-readable
program code means for determining the
source entity of the received branded value based
on the recovered entity specific information
comprises:

computer-readable program code means for
generating a second branded value utilizing an
expected seed value and the entity specific
information and the key generation procedure;
and

computer-readable program code means for
comparing the generated second branded value
with the received branded value.